Chaining Multiple Authentication Modules

You can use the administration console to chain multiple authentication
modules to work together as single a authentication service . When
multiple authentication modules are chained together, the end-user
must authenticate at least one of authentication modules in defined
in the authentication group. Or the user may be required to authenticate
to all of the modules, depending upon on how authentication chaining
is configured.

The following instructions demonstrate chaining the DataStore
Authentication module and Windows Desktop SSO Authentication module
to work together as an authentication service. Using this configuration,
an end-user can access OpenSSO Enterprise using the authentication
service name. Example: http://openSSO.example.com/amserver/UI/Login?service=WinSSOService.

To Configure Authentication Chaining

Log in to the OpenSSO Enterprise admnistration console
as amadmin.

Go to Access Control > Default Realm >
Authentication.

Define a new instance of the Windows Desktop SSO Authentication
module.

Go to Access Control? > Default Realm >
Authentication.

Define new instance of Authentication Chaining.

Click the New button for Authentication Chaining.

Provide a name for this chain, and then click OK. Example name: WinSSOService.

Click Add, and then choose the first authentication module
to be executed in this chain.

In this example, Windows
Desktop SSO is the first module to be executed.

For Criteria, choose Sufficient.

Click Add, and then choose the next authentication module
in the chain to be executed.

In this example, Data Store
is the next module to be executed.

For Criteria, choose Sufficient.

Go to Access Control > Default Realm>
Authentication, and save this new chaining configuration.

To Test Authentication Chaining

Log in to a Windows XP Domain Controller and start any
browser that is enabled for the SPNEGO protocol.

Go to the OpenSSO Enterprise URL configured with the authentication
service name.

If a user can log into Windows XP Domain Controller successfully,
the browser sends a Kerberos ticket to the OpenSSO Enterprise server,
and the user is successfully authenticated using the Windows Desktop
SSO Authentication module. .

If the user cannot authenticate to the first authentication
module, then OpenSSO Enterprise prompts for user name and password
and tries to authenticate using the Data Store Authentication module.
If authentication fails, then the administrator should troubleshoot
the authentication failure. For a short list of solutions for the
most common error messages related to Windows Desktop SSO Authentication,
see Troubleshooting Windows Desktop SSO Authentication Issues.

To Use the Windows Desktop SSO Authentication
Module with a Load Balancer

All OpenSSO Enterprise authentication modules, including the
Windows Desktop SSO Authentication module, can be accessed through
a load balancer. The Windows Desktop SSO Authentication module requires
some special configuration.

Create an Active Directory domain account in Windows 2003
or in the Kerberos service principal.

When you generate the keytab file for he Windows Desktop
SSO Authentication, you have to specify the load balancer FQDN.

Example: HTTP://opensso-lb.example.com. If
you don't specify the fully-qualified domain name, authentication
will fail.

Copy the keytab file to all OpenSSO Enterprise servers,
and put place in under the same directory in each server.

Example
location: /etc/ SUNWam/config.

Create a new Windows Desktop SSO Authentication module
and Configure it with the newly copied keytab file.

Restart all the OpenSSO Enterprise servers and test the
new module through the load balancer.

You can configure the Windows Desktop SSO authentication module
to work with multiple Kerberos Domain Controllers. This is useful
for deploying a failover Kerberos server.

When you configure the Windows Desktop SSO authentication module
with a keytab file from one of the trusted domain controllers, any
user belonging to any of the trusted domains can authenticate through
the Windows Desktop SSO authentication module. Administrators can
configure and manage trust relationships in environments containing
multiple Active Directories.

To make the Windows domain controller a part of the trusted
nodes, and to make the Windows domain controller work with the Windows
Desktop SSO authentication module, the following conditions must be
met:

You must use Windows 2003 or a later version.

The domain controller functional level must be set
at Windows Server 2003.

Trust must be configured.

Trust configuration is beyond the scope of this document. The
following links provide useful related information: